Twitter launches forward secrecy, makes decryption nearly impossible

Twitter already uses HTTPS to provide its customers with security, but on Friday the microblogging company upped its encryption defenses by introducing ‘forward secrecy’ for its twitter.com, api.twitter.com and mobile.twitter.com services.

But what is forward secrecy and, if it is so important, why doesn't everyone use it?

“Encryption systems that lack forward secrecy have a single secret key that's used over and over again to set up the encryption,” Seth Schoen, senior staff technologist with Electronic Frontier Foundation (EFF), told SCMagazine.com on Monday. “That key is effectively a master key for all of the communications that use it. Anyone who learns it can unscramble all of them, past or future.”

Using Twitter as an example, Schoen said that if someone were to record all encrypted data going in and out of Twitter's servers for years, and were later to discover the secret key, that person would be able to decrypt all of the collected information.

“There are encryption techniques that don't have this property, where there is effectively no single master key, and even the parties to a communication lose the ability to decrypt it after the communication is over,” Schoen said, explaining this is made possible due to a cryptographic key exchange known as Diffie-Hellman. “These techniques are said to have forward secrecy.”

The HTTPS shown in front of a URL in a web browser indicates that the website communicates using Transport Layer Security (TLS) encryption, Schoen said, explaining that some modes of TLS provide forward secrecy.

However, the reason not all HTTPS-ready websites have enabled forward secrecy – it has been available for about a decade and has picked up steam in the past few years – is that it is computationally intensive, Schoen said, adding that the server has to do more mathematics for each incoming connection.

“Many people have become particularly concerned about forward secrecy on the Internet because of the government's position in the Lavabit case,” Schoen said. “There, the government claims that it can use a search warrant to seize a webmail company's secret encryption keys. If this is so, and the keys were used in a non-forward secret mode, the government could then use the keys to go back and decrypt any encrypted messages that it intercepted on the wire at any time in the past.”

Google became one of the first big internet companies to implement forward secrecy in 2011, and since then several other companies have followed, including Dropbox, Facebook and Tumblr, according to an EFF graph that charts best encryption practices.

Twitter's Jacob Hoffman-Andrews blogged extensively about the initiative, explaining that the microblogging company hopes forward secrecy becomes the new norm for web service owners. A Twitter representative did not respond to a SCMagazine.com request for comment.
